Project Part 1

By

Risk Assessment plan for Health Network Inc.

Date

20-09-2020

Risk Assessment plan for Health Network Inc.

All organizations face risk: the risk that the business does not operate as intended, the risk that natural disasters hamper operations, and the risk of losing information to cybercriminals or other incidents. Businesses and organizations must therefore have risk management measures in place. These measures describe the risks likely to affect an organization and detail the actions in place to prevent both identified and unidentified risks from occurring. It is also critical that businesses and organizations have disaster recovery plans, which detail the steps to be taken if risks become a reality. Considering the nature of operations at Health Network Inc., the organization must have a reliable risk assessment plan to ensure that it is protected from all possible incidents and that its operations continue if disasters or incidents happen.

Health Network Inc.

The organization is headquartered in Minneapolis, Minnesota, and has branches in two other locations: Portland, Oregon, and Arlington, Virginia. It has over 550 employees and makes over $450 million in annual revenue. Each of the Health Network Inc. locations is near a data center that is managed by a third-party vendor, and there are production centers located at the data centers. The three corporate data centers have over a thousand data servers, over 650 corporate laptops, and other mobile devices.

The organization has three main products. The first is HNetExchange, which facilitates the handling of secure electronic medical messages between small customers such as clinics and large customers such as hospitals. The second is HNetPay, a web portal that supports secure payments and various payment methods. The last is HNetConnect, which allows customers to find doctors, as it contains profiles of patients, doctors, and clinics.

The organization also has a capable information technology department, whose role is not only to ensure that all IT infrastructure attached to the organization works as expected but also to maintain the security of all IT infrastructure the organization owns. The department has installed several IT controls for its IT equipment and server rooms.

Like all organizations, Health Network Inc.’s operations depend on the information and data it has collected, its communication channels, its infrastructure, and its human resources. Any attack, whether natural or man-made, on the organization’s data centers, communication channels, buildings, employees, or infrastructure would negatively affect the organization and its operations.

Threats to the organization and its operations

There are six main threats to the organization and its operations. The first threat is the loss of the organization’s data due to the production systems being. The second threat is the loss of company information due to the loss of company-owned handheld devices, mobile devices, and laptops. The third threat is the loss of customers due to production outages. The fourth threat is a cyber threat due to company products being accessible on the internet. The fifth threat is insider threats, and the last threat is possible changes in the regulatory landscape. To ensure that its operations continue if any of its main areas are affected, the organization ought to have a risk assessment, mitigation, and disaster recovery plan.

The plan below details how the organization will further protect itself from incidents, considering that it already has good and reliable measures in place. The plan details the handling and management of incidents. It also details the personnel responsible for risk management, disaster management, and recovery, and it explains the actions to be carried out to ensure continuity of operations and recovery of infrastructure and resources.

Scope

The organization’s risk assessment plan exists for four main reasons. It exists first to identify the weaknesses of the organization and to implement a disaster prevention strategy or program. Secondly, it exists to minimize the duration of serious disruption to the organization’s operations. Thirdly, it exists to facilitate the effective coordination of the organization’s recovery tasks. Lastly, it exists to reduce and demystify the complexity of the organization’s recovery effort. The five phases of disaster recovery will act as the scope of the organization's risk assessment plan. The five phases are risk/disaster identification, mitigation, preparedness, response, and recovery.

Major Risk Assessment and Business Impact Analysis

| Risk event | Probability | Impact | Overall risk rating | Risk decision | Proposed mitigation plan |
| --- | --- | --- | --- | --- | --- |
| Laptop or mobile device with proprietary data lost or stolen | High | High: negative media exposure, exposure of proprietary data, competitive advantage, and trade secret | High | Mitigate the likelihood of the risk | According to Téllez & Zeadally (2017), all mobile devices should be installed with a device management policy. The banning of take-home laptops will reduce the likelihood of the devices being stolen (Pender-Bey, 2016). |
| Internal-network break-in from outside | High | High: interruption of services and negative media, exposure of proprietary data, loss of competitive advantage, and trade secret | High | Avoid | Set up more firewalls to prevent easy access by cybercriminals (Curtin, 2017). Setting up strong access credentials, just like banks, will limit break-ins from the outside (Abbott-McCune & Shay, 2016). |
| Virus, worm, or Trojan infections | High | High: interruption of services, negative media exposure, and damage to infrastructure | High | Mitigate | Adopting the use of reliable anti-virus and anti-malware programs will limit the attack surface (Luo & Liao, 2017). Having more firewalls will limit the attack areas of viruses and worms (Ostrovsky & Yung, 2018). |
| Source code stolen by an external attacker or insider | High | High: negative media exposure, exposure of proprietary data, loss of competitive advantage and trade secrets | High | Avoid | Changing the location of the source code will prevent the source code from being stolen by an external attack (Xiangyu, Qiuyang & Chandel, 2017). Putting up firewalls to prevent access to the source code. Restricting access to the code (Cheng, Liu & Yao, 2017). |
| Denial of service attacks | Medium | Low: impact on operations for a short period | Medium-low | Transfer | Adopting the use of reliable anti-virus and anti-malware programs will limit the attack surface (Imran et al., 2019). Having more firewalls will limit the attack areas (Mahjabin et al., 2017). |
| A data security breach for personal, financial, and/or customer data | High | Medium: potential lawsuits, negative publicity, loss of customers | Medium-high | Transfer | Outsourcing the storage of personal, financial, and customer data to prevent the impact of the risk (Li et al., 2019). |
| Prolonged IT outage | Low | Low: disruption of services, loss of customers | Low | Mitigate/transfer | Regular backing up will reduce the impact of a prolonged IT outage (Krings, 2018). Outsourcing through cloud services will prevent prolonged outage (Monarch, 2020). |
| An attack against others initiated by code galore employee | Low | Medium: negative publicity, loss of customers | Medium-low | Mitigate | Having system and network access credentials in place will reduce attacks against others initiated by code galore employees. |
| Sabotage of source code | Medium | High: interruption of service and operations, negative media exposure, exposure of proprietary data, loss of competitive advantage, and trade secret | Medium-high | Avoid | Changing the location of the source code will prevent the source code from being stolen or sabotaged easily (Vedeshin et al., 2019). Putting up firewalls to prevent access to the source code. Restricting access to the code (Mitsutoshi & Demachi, 2018). |

Risk Assessment, Incident, and Disaster Recovery teams

For proper handling of risks and incidents, the organization should have incident and recovery teams. The incident command team should comprise at least one member from every unit or department in the organization. The command team will be headed by a risk manager, who will be assisted by the affected unit’s head, and it will report to the head of risk management. The incident command team will have two main duties: mitigating further damage due to an incident, and assessing the damage that an incident or disaster has caused and will continue to cause through its ripple effect.

Disaster recovery teams should be headed by risk managers and the heads of the affected units, departments, or facilities. All disaster recovery teams should report to the head of risk management. Disaster recovery teams shall be initiated once it has been established that a disaster or incident is in progress. Disaster recovery teams have members from different units or departments to ensure that all relevant stakeholders in handling and recovering from a disaster are involved. According to Wallace and Webber (2017), the role of disaster recovery teams is to oversee the recovery process to ensure business continuity.

References

Wallace, M., & Webber, L. (2017). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. Amacom. Retrieved from https://pdfs.semanticscholar.org/53ab/411d01f3296c0737fe439558c98ea1d71b68.pdf

Abbott-McCune, S., & Shay, L. A. (2016, October). Intrusion prevention system of automotive network CAN bus. In 2016 IEEE International Carnahan Conference on Security Technology (ICCST) (pp. 1-8). IEEE. Retrieved from https://ieeexplore.ieee.org/abstract/document/7815711

Cheng, L., Liu, F., & Yao, D. (2017). Enterprise data breach: causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), e1211. Retrieved from https://onlinelibrary.wiley.com/doi/abs/10.1002/[email protected]/(ISSN)1097-0312.India-Mathematics-Day

Corwin, J. (2018). Preventing Pirated Software Use within an Organization. Retrieved from https://scholarsbank.uoregon.edu/xmlui/handle/1794/23439

Curtin, M. (2017). Introduction to network security. document published by LaTeX2HTML translator Version 97.1. Retrieved from http://www.interhack.net/pubs/network-security.pdf

Imran, M., Durad, M. H., Khan, F. A., & Derhab, A. (2019). Toward an optimal solution against denial of service attacks in software-defined networks. Future Generation Computer Systems, 92, 444-453. Retrieved from https://www.sciencedirect.com/science/article/abs/pii/S0167739X18302930

Krings, S. (2018). "Dear Neighbours..." A Comparative Exploration Of Approaches To Managing Risks Related To Hazardous Incidents And Critical Infrastructure Outages. Erdkunde, 72(2), 103-124. Retrieved from https://www.jstor.org/stable/26477868?seq=1

Kurtz, J. (2016). Hacking Wireless Access Points: Cracking, Tracking, and Signal Jacking. Syngress.

Li, T., Convertino, G., Tayi, R. K., & Kazerooni, S. (2019, March). What data should I protect? recommender and planning support for data security analysts. In Proceedings of the 24th International Conference on Intelligent User Interfaces (pp. 286-297). Retrieved from https://dl.acm.org/doi/abs/10.1145/3301275.3302294

Liska, A., & Gallo, T. (2016). Ransomware: Defending against digital extortion. O'Reilly Media, Inc. Retrieved from https://books.google.com/books?hl=en&lr=&id=IIORDQAAQBAJ&oi=fnd&pg=PR2&dq=How+to+protect+against+hacks+in+an+organization&ots=EuvhGH5-gc&sig=cBYQbjf6BsSxJsbjf37vuwvfsEo

Luo, X., & Liao, Q. (2017). Awareness education as the key to ransomware prevention. Information Systems Security, 16(4), 195-202. Retrieved from https://www.tandfonline.com/doi/abs/10.1080/10658980701576412?journalCode=uiss19

Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal of Distributed Sensor Networks, 13(12), 1550147717741463. Retrieved from https://journals.sagepub.com/doi/full/10.1177/1550147717741463

Marcus, D. J. (2018). The Data Breach Dilemma: Proactive Solutions for Protecting Consumers' Personal Information. Duke LJ, 68, 555. Retrieved from https://heinonline.org/HOL/LandingPage?handle=hein.journals/duklr68&div=18&id=&page=

Mitsutoshi, S., & Demachi, K. (2018). Security by facility design for sabotage protection. Journal of Nuclear Science and Technology, 55(5), 559-567.

Monarch, B. (2020). Black start: the risk of grid failure from a cyber attack and the policies needed to prepare for it. Journal of Energy & Natural Resources Law, 38(2), 131-160. Retrieved from https://www.tandfonline.com/doi/full/10.1080/02646811.2020.1744368

Ostrovsky, R., & Yung, M. (2018, July). How to withstand mobile virus attacks. In Proceedings of the tenth annual ACM symposium on Principles of distributed computing (pp. 51-59). Retrieved from https://dl.acm.org/doi/pdf/10.1145/112600.112605

Pender-Bey, G. (2016). The Parkerian Hexad. Information Security Program at Lewis University. Retrieved from http://cs.lewisu.edu/mathcs/msisprojects/papers/georgiependerbey.pdf

Téllez, J., & Zeadally, S. (2017). Mobile Device Security. In Mobile Payment Systems (pp. 19-33). Springer, Cham.

Vedeshin, A., Dogru, J. M. U., Liiv, I., Yahia, S. B., & Draheim, D. (2019). A secure data infrastructure for personal manufacturing based on a novel key-less, byte-less encryption method. IEEE Access, 8, 40039-40056.

Xiangyu, L., Qiuyang, L., & Chandel, S. (2017, October). Social engineering and Insider threats. In 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC) (pp. 25-34). IEEE. Retrieved from https://ieeexplore.ieee.org/abstract/document/8250331
